36 changes: 35 additions & 1 deletion explore-analyze/alerts-cases/alerts/view-alerts.md
Expand Up @@ -8,7 +8,7 @@ products:
- id: kibana
---

# View alerts [view-alerts]
# View and manage alerts [view-alerts]

When the conditions of a rule are met, it creates an alert. If the rule has actions, they run at the defined frequency. For example, the rule can send email notifications for each alert at a custom interval. For an introduction to the concepts of rules, alerts, and actions, refer to [Alerting](../alerts.md).

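Review bot: The heading rename to "View and manage alerts" keeps the existing `[view-alerts]` anchor, so inbound links such as the `#clean-up-alerts` cross-references elsewhere in this PR keep resolving; please also check any navigation or TOC entry that carries the old "View alerts" title so the sidebar label matches the new heading.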
Expand Down Expand Up @@ -70,3 +70,37 @@ An alert can also be in a "flapping" state when it is switching repeatedly betwe
If an alert is active or flapping, you can mute it to temporarily suppress future actions. In both **{{stack-manage-app}} > Alerts** and **{{rules-ui}}**, you can open the action menu (…) for the appropriate alert and select **Mute**. To permanently suppress actions for an alert, open the actions menu and select **Mark as untracked**.

To affect the behavior of the rule rather than individual alerts, check out [Snooze and disable rules](create-manage-rules.md#controlling-rules).

## Clean up alerts [clean-up-alerts]

```{applies_to}
stack: preview 9.1
serverless: preview
```

Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by running an alert cleanup task, which deletes alerts according to the criteria that you define.

:::{note}
The alert cleanup task permanently deletes alerts in your `.alert-*` indices. Make sure to take regular snapshots of your cluster to backup your alert data in case you ever need to restore it.
:::

### Requirements [clean-up-alerts-reqs]

* To run the alert cleanup task, your role must have `All` privileges for the **Alert deletion feature**. When setting your role’s Kibana privileges, go to **Management > Rule Settings**, enable **Customize sub-feature privileges**, then select `All` for the **Alert deletion** feature.
* Alerts in your space must be older than a day. The minimum threshold for the alert cleanup task is one day.

### Run the alert cleanup task [run-alert-clean-up-task]

Remove old or rarely-accessed alerts in your space by running an alert cleanup task, which deletes alerts according to the criteria that you define. Alerts that are attached to cases are not deleted.

1. Open the Rules page by going to **Stack Management > Alerts and Insights > Rules** in the main menu or using the global search field.
2. Click **Settings** to open the settings for all rules in the space.
3. In the **Clean up alert history** section, click **Clean up**.
4. Define criteria for the alert cleanup task. You can choose to delete alerts based on whether they are active or inactive, and meet a certain age. For example, if you select active alerts and specify 2 years, the cleanup task will delete alerts that are active and more than 2 years old

* **Active alerts**: Active alerts haven’t had their statuses changed since they were initially generated.
* **Inactive alerts**: Inactive alerts have had their statuses changed to recovered, closed, acknowledged, or untracked.

5. Enter **Delete** to verify that you want to run the alert cleanup task, then click **Run cleanup task**.

A message confirming that the alert cleanup task has started appears. Refer to the `Last cleanup task: details` field in the alert cleanup modal to see when the task last ran.
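Review bot: The Requirements bullet tells readers to grant `All` on the Alert deletion sub-feature but says nothing about scope; because the task is a permanent, space-wide delete that the note above says can only be undone from a snapshot, I would add one sentence recommending that this sub-feature privilege be granted to a dedicated administrative role rather than folded into general rule-management roles, and that a snapshot be confirmed before the first run. Two wording fixes in the same hunk: "to backup your alert data" in the note should be "to back up your alert data", and step 4 ends without a period ("... more than 2 years old"). Please also confirm the index pattern in the note; the alerts-as-data indices are conventionally written `.alerts-*`, and `.alert-*` would not match them. Finally, "Alerts in your space must be older than a day" reads as a precondition on the data rather than on the task; "The cleanup task only deletes alerts older than one day; shorter thresholds are not accepted" states the same constraint more precisely.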
15 changes: 12 additions & 3 deletions solutions/observability/incident-management/view-alerts.md
Expand Up @@ -7,7 +7,7 @@ products:
- id: cloud-serverless
---

# View alerts [observability-view-alerts]
# View and manage alerts [observability-view-alerts]

::::{note}

Expand Down Expand Up @@ -50,7 +50,7 @@ From the **Alerts** table, you can click on a specific alert to open the alert d
:screenshot:
:::

There are three common alert statuses:
There are four common alert statuses:

`active`
: The conditions for the rule are met and actions should be generated according to the notification settings.
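Review bot: The count changes from three to four common alert statuses, but only the `active` definition is inside the visible context; please verify that the definition list immediately below this hunk actually has four entries (the `untracked` and `flapping` states introduced in the explore-analyze page are the likely candidates), otherwise the new count is wrong on its own page.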
Expand Down Expand Up @@ -122,4 +122,13 @@ To add an alert to a new case:
To add an alert to an existing case:

1. Select **Add to existing case**.
2. Select the case where you will attach the alert. A confirmation message displays.
2. Select the case where you will attach the alert. A confirmation message displays.

## Clean up alerts [clean-up-alerts-obs]

```{applies_to}
stack: preview 9.1
serverless: preview
```

Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by [running an alert cleanup task](../../../explore-analyze/alerts-cases/alerts/view-alerts.md#clean-up-alerts), which deletes alerts according to the criteria that you define.
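Review bot: This Clean up alerts section sits directly under the "add an alert to a case" steps, and the linked explore-analyze page states that alerts attached to cases are not deleted by the cleanup task; one short sentence here saying so would save the observability reader a click and avoids the impression that case evidence can be purged. The change on the preceding "Select the case where you will attach the alert" line looks like a trailing-newline fix only; if so, it is fine as-is.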
Expand Up @@ -299,3 +299,12 @@ This Timeline template uses the `host.name: "{host.name}"` dropzone filter in th
::::{note}
Refer to [Timeline](/solutions/security/investigate/timeline.md) for information on creating Timelines and Timeline templates. For information on how to add Timeline templates to rules, refer to [Create a detection rule](/solutions/security/detect-and-alert/create-detection-rule.md).
::::

## Clean up alerts [clean-up-alerts-sec]

```{applies_to}
stack: preview 9.1
serverless: preview
```

Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by [running an alert cleanup task](../../../explore-analyze/alerts-cases/alerts/view-alerts.md#clean-up-alerts), which deletes alerts according to the criteria that you define.
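Review bot: The paragraph and `{applies_to}` block here are a verbatim copy of the observability stub above, and both duplicate the opening sentence of the explore-analyze section they link to; if the docs toolchain supports shared snippets or includes, pulling this text from one source would keep the version badge (`stack: preview 9.1`, `serverless: preview`) from drifting across the three pages when the feature leaves preview. The `#clean-up-alerts` anchor in the link matches the `[clean-up-alerts]` heading id in the first file, so the cross-reference is correct.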